To prevent confidential data from leaking out of your organization, your DLP (data loss prevention) efforts may have to be aimed at two areas: data-at-rest and data-in-motion. In this post, we’ll talk about the former.
Data at rest refers to information stored in employees’ local folders, in databases, on on-site and off-site backup tapes, on servers in a SAN (storage area network), and just about any data that isn’t being transmitted across a network (data that is in transit is known as data-in-motion).
Compliance standards impacting data at rest
The growing number of data breach incidents and the ensuing cases of identity theft have prompted legislators to create laws designed to protect personally identifiable information (PII). Many of these laws affect the way you currently handle data at rest. That is, if you want to avoid onerous obligations and costly penalties, you will have to adopt better ways of securing PII that is stored as data at rest.
Two of the most prominent laws and regulations affecting IT systems are HIPAA and GLBA.
With maximum penalties of up to $1.5 million and possible imprisonment, the Health Information Technology for Economic and Clinical Health Act, which amended the Health Insurance Portability and Accountability Act, is the most feared law in the health care industry.
Aimed at preventing unauthorized disclosures of electronic protected health information (ePHI), HIPAA-HITECH is forcing medical practitioners, health care providers, hospitals, and their business associates to review the security of data at rest in their EHRs (Electronic Health Records) and similar IT systems.
While HIPAA-HITECH deals with ePHI, which is essentially PII found alongside medical information, the GLBA (Gramm-Leach-Bliley Act) focuses on nonpublic personal information, or NPI. This is simply the name given to PII found alongside financial information; examples include SSNs, people’s names, addresses, phone numbers, bank account numbers, credit card numbers, and income and credit histories.
This information is commonly stored in a typical financial institution’s database. If it ends up in the wrong hands, the financial institution in question could end up paying $100,000 per violation, while its officers and directors can be fined up to $10,000 per violation.
Other laws and regulations that call for better protection of data at rest include PCI-DSS (Payment Card Industry Data Security Standard), SOX (Sarbanes-Oxley Act), and the various state and territorial data breach notification laws.
How to secure data at rest
With so many regulations to keep track of, the need to find better ways of protecting data-at-rest is more pressing than ever. You can start by adopting good practices, particularly when dealing with sensitive information.
For instance, you can begin by reducing the amount of sensitive data that you collect from employees and customers. Sensitive data you already hold that isn’t business-critical should likewise be discarded in a secure fashion. The objective of both exercises is to reduce your exposure to risk.
The sensitive data that really does have to be retained needs to be identified and located. Knowing ‘what it is’ will help you pinpoint which laws and regulations you are answerable to, while knowing ‘where it is’ will help you carry out your data protection initiatives more effectively and efficiently.
Once you’ve identified which data needs protection and where it lives, you can implement the appropriate protection schemes: encryption, authentication mechanisms, access control, and so on. Want a clear example? You're in luck. In my next posts, I'll talk about how you can use encrypted filesystems and OpenPGP with JSCAPE MFT Server to secure data at rest. In the meantime, I hope you learned something from this article. Have a nice day.
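As an added illustration of the ‘identify and locate’ step above (example code written for this post, not part of the original article or of JSCAPE MFT Server), the script below walks a directory tree, flags files containing two of the NPI fields listed earlier (SSNs and payment card numbers), and reports only masked values so the inventory itself does not become another copy of the data. The directory layout, file names and field values are constructed for the demo; the card-number check uses the Luhn checksum to weed out random digit runs.

```python
import re
import tempfile
from pathlib import Path

# Patterns for two NPI fields the post lists: SSNs and payment card numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked value) per hit; only the last four digits are retained."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan_directory(root: Path) -> dict[str, list[tuple[str, str]]]:
    """Inventory of which files under root hold PII, keyed by path relative to root."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = find_pii(path.read_text(errors="ignore"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo() -> dict[str, list[tuple[str, str]]]:
    """Constructed sample share: one file with NPI, one clean file, one near-miss."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        (root / "hr" / "payroll.csv").write_text(
            "name,ssn,card\nA. Person,123-45-6789,4111 1111 1111 1111\n")
        (root / "readme.txt").write_text("Nothing sensitive here.\n")
        (root / "invoice.txt").write_text("Order 1234 5678 9012 3456 shipped.\n")  # fails Luhn
        return scan_directory(root)

if __name__ == "__main__":
    for file, hits in demo().items():
        print(file, hits)
```

Point `scan_directory` at a real share to build the ‘where is it’ map; the resulting file list is what the encryption and access-control steps are then applied to.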
Laws and regulations affecting IT systems mostly require covered entities to protect data at rest. This post defined what data at rest is and outlined the first steps toward securing it.